Fortress in the Cloud
Simone Brunozzi,
AWS Technology Evangelist, APAC
Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 Type II Audit
• FISMA Low ATO
• Pursuing FISMA Moderate ATO
• Pursuing DIACAP MAC III Sensitive
• FedRAMP
Service Health Dashboard
Shared Responsibility Model
Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention Systems
• Encryption/Decryption of data, Hardware Security Modules
• Separation of Access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have access inside a customer's VMs, including applications and data
AWS Cloud Security Model Overview
VM Security
• Multi-factor access to Amazon Account
• Instance Isolation
  – Customer-controlled firewall at the hypervisor level
  – Neighboring instances prevented access
  – Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls

Network Security
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
AWS Computing Platform
AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Latest Versions May 2011
• Regularly Updated
• Feedback is welcome

AWS Certifications
• Shared Responsibility Model
• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SAS70 Type II Audit
• FISMA A&As
  – Multiple NIST Low Approvals to Operate (ATO)
  – Actively pursuing NIST Moderate, completed ST&E
  – FedRAMP
  – DIACAP MAC III Sensitive IATO
• Customers have deployed various compliant applications such as HIPAA (healthcare)
SAS70 Type II
AWS publishes a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors.
AWS identifies those controls relating to the operational performance and security to safeguard customer data.
Auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls, attesting that the controls are operating as designed. This report is available to customers under NDA who require a SAS70 Type II to meet their own audit and compliance needs.
ISO 27001
AWS has achieved ISO 27001 certification of its Information Security Management System (ISMS) covering AWS infrastructure and data centers in all regions worldwide, and the services Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC).
PCI DSS Level 1
AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) are included in the PCI compliance validation.
Physical Security
Amazon has been building large-scale data centers for many years
Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed
Fault Separation and Geographic Diversity
(Diagram, conceptual drawing only; the number of Availability Zones may vary: Amazon CloudWatch, Auto Scaling and Elastic Load Balancing operate across the Availability Zones of each Region. EU Region (IRE): Zones A, B. US East Region (N. VA): Zones A, B, C. APAC Region (Tokyo): Zones A, B. US West Region (N. CA): Zones A, B. APAC Region (Singapore): Zones A, B.)
Data Backups
• Data in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations
  – EBS redundancy in a single Availability Zone
• Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability
• Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy
AWS Identity and Access Management
• Enables a customer to create multiple Users and manage the permissions for each of these Users.
• Secure by default; new Users have no access to AWS until permissions are explicitly granted.
• AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
• Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
AWS Multi-Factor Authentication
A recommended opt-in security feature of your Amazon Web Services (AWS) account
AWS MFA Benefits
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
Amazon EC2 Security
• Host operating system
  – Individual SSH keyed logins via bastion host for AWS admins
  – All accesses logged and audited
• Guest operating system
  – Customer controlled at root level
  – AWS admins cannot log in
  – Customer-generated keypairs
• Stateful firewall
  – Mandatory inbound firewall, default deny mode
• Signed API calls
  – Require X.509 certificate or customer's secret AWS key
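The "signed API calls" item above refers to request signing with the customer's secret key. The following is an added Python model of that scheme, not AWS's or the deck's own code; it follows the Signature Version 2 query-signing layout (sorted, RFC 3986-encoded parameters; HMAC-SHA256 of the string to sign; Base64 result). The access key, secret key and request values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def canonical_query(params: dict) -> str:
    """Sort parameters by name and RFC 3986-encode names and values; this is the
    exact byte string the signature covers, so client and server must build it identically."""
    return "&".join(f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    """Verb, lowercased host, request path and canonical query, joined by newlines."""
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def sign_request(secret_key: str, method: str, host: str, path: str, params: dict) -> dict:
    """Client side: add Signature = Base64(HMAC-SHA256(secret, StringToSign))."""
    sts = string_to_sign(method, host, path, params)
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha256).digest()
    signed = dict(params)
    signed["Signature"] = base64.b64encode(mac).decode()
    return signed


def verify_request(secret_key: str, method: str, host: str, path: str, signed: dict) -> bool:
    """Server side: recompute the signature over every parameter except Signature itself
    and compare in constant time; changing any parameter invalidates the request."""
    presented = signed.get("Signature", "")
    params = {k: v for k, v in signed.items() if k != "Signature"}
    expected = sign_request(secret_key, method, host, path, params)["Signature"]
    return hmac.compare_digest(presented, expected)


# Constructed credentials and request (placeholders, not real keys or a real call).
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
REQUEST = {
    "Action": "DescribeInstances",
    "AWSAccessKeyId": "AKIAEXAMPLEKEY",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2011-05-20T10:00:00Z",
    "Version": "2011-05-15",
}
```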
Amazon EC2 Instance Isolation
(Diagram: physical interfaces feed the hypervisor, which presents virtual interfaces to the instances of Customer 1, Customer 2 … Customer n; a firewall applies each customer's own Security Groups.)

Virtual Memory & Local Disk
(Diagram: Amazon EC2 instances, each with an encrypted file system and an encrypted swap file.)
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
Network Traffic Flow Security
(Diagram: Amazon EC2 instances with encrypted file system and encrypted swap file; inbound traffic passes the Amazon Security Groups and then iptables on each instance.)
• Inbound traffic must be explicitly specified by protocol, port, and security group
• iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)
Multi-tier Security Architecture
(Diagram: Web Tier, Application Tier and Database Tier with an EBS Volume, each behind an Amazon EC2 Security Group Firewall.)
• Ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
• Engineering staff have ssh access to the App Tier, which acts as Bastion
• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
• AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
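The default-deny allow-list behaviour of security groups from the network traffic flow slide and the three-tier layout above, as an added Python model (not AWS's or the deck's code): a rule matches by protocol, port and either a source CIDR block or a source security group, and the constructed layout shows why the Internet reaches only ports 80/443 on the web tier while the database accepts connections only from the application tier. Group names and the office CIDR are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    """One inbound allowance: protocol, port range, and a source that is either
    a CIDR block or the name of another security group."""
    proto: str
    port_from: int
    port_to: int
    cidr: Optional[str] = None
    src_group: Optional[str] = None


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def inbound_allowed(group: SecurityGroup, proto: str, port: int,
                    src_ip: Optional[str] = None, src_groups: Sequence[str] = ()) -> bool:
    """Default deny: traffic is admitted only if some rule explicitly matches its
    protocol, port and origin (a CIDR block, or a security group the sender belongs to)."""
    for r in group.rules:
        if r.proto != proto or not (r.port_from <= port <= r.port_to):
            continue
        if r.cidr and src_ip and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.cidr):
            return True
        if r.src_group and r.src_group in src_groups:
            return True
    return False


# Constructed three-tier layout following the deck's diagram (names and CIDRs are assumed).
WEB = SecurityGroup("web", [Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
                            Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
APP = SecurityGroup("app", [Rule("tcp", 22, 22, cidr="203.0.113.0/24"),   # engineering staff ssh
                            Rule("tcp", 8080, 8080, src_group="web")])   # only the web tier calls the app
DB = SecurityGroup("db", [Rule("tcp", 3306, 3306, src_group="app"),      # only the app tier reaches the DB
                          Rule("tcp", 22, 22, src_group="app")])         # ssh hops through the app bastion


def check_three_tier() -> dict:
    """Probe the layout from several origins; each key maps to True (admitted) or False."""
    internet = "198.51.100.7"
    return {
        "internet_web_443": inbound_allowed(WEB, "tcp", 443, src_ip=internet),
        "internet_web_22": inbound_allowed(WEB, "tcp", 22, src_ip=internet),
        "internet_db_3306": inbound_allowed(DB, "tcp", 3306, src_ip=internet),
        "web_db_3306": inbound_allowed(DB, "tcp", 3306, src_groups=("web",)),
        "app_db_3306": inbound_allowed(DB, "tcp", 3306, src_groups=("app",)),
        "office_app_ssh": inbound_allowed(APP, "tcp", 22, src_ip="203.0.113.42"),
        "internet_app_ssh": inbound_allowed(APP, "tcp", 22, src_ip=internet),
    }
```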
Network Security Considerations
• DDoS (Distributed Denial of Service): Standard mitigation techniques in effect
• MITM (Man in the Middle): All endpoints protected by SSL; fresh EC2 host keys generated at boot
• IP Spoofing: Prohibited at host OS level
• Unauthorized Port Scanning: Violation of AWS TOS; detected, stopped, and blocked; ineffective anyway since inbound ports blocked by default
• Packet Sniffing: Promiscuous mode is ineffective; protection at hypervisor level
• Configuration Management: Configuration changes are authorized, logged, tested, approved, and documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.
Network Traffic Confidentiality
(Diagram: Amazon EC2 instances with encrypted file system and encrypted swap file; Internet traffic, and a VPN tunnel to the corporate network.)
• All traffic should be cryptographically controlled
• Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)

Amazon VPC
(Diagram: the customer's network connects over a secure VPN connection over the Internet to the VPN Gateway and Router of Amazon VPC; subnets inside the Amazon Web Services Cloud hold the customer's isolated AWS resources.)
Amazon VPC Capabilities
• Create an isolated environment within AWS
• Establish subnets to control who and what can access your resources
• Connect your isolated AWS resources and your IT infrastructure via a VPN connection
• Launch AWS resources within the isolated network
• Use your existing security and networking technologies to examine traffic to/from your isolated resources
• Extend existing security/management policies within your IT to your isolated AWS resources as if they were running within your infrastructure
Amazon VPC Network Security Controls
Amazon S3 Security
• Access controls at bucket and object level:
  – Read, Write, Full
• Bucket Policies
  – Conditional rules based on account, request IP etc.
• Customer Encryption
  – SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Storage Device Decommissioning
  – NIST 800-88 methods
Amazon Relational Database Service Security
• Access based on Database Security Groups
• Default Deny All – Allowances by:
  – IP range
  – EC2 Security Group
• SSL to protect data in transit
• User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy
Amazon SimpleDB Security
• Access based on AWS account ID
• Domains accessible based on ACL
• SSL to protect data in transit
• User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy
• Encrypt data elements not used as keys
  – Note: encrypting data elements limits your ability to select those fields as retrieval keys.
Amazon SQS Security
• Scalable Message Queuing Service
• Designed to be highly available, reliable and durable
• Access based on AWS account ID, APL (Access Policy Language) and AWS IAM
  – Access Policy Language enables the creation of complex rules to enable access to queues based on identity (AWS account number), source IP address, date, time, and more.
  – An AWS IAM user, however, only has access to the operations and queues to which they have been granted access via policy
• SSL to protect data in transit
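The IAM "secure by default" rule, S3 bucket policies with conditions on account and request IP, and the SQS Access Policy Language all follow the same evaluation shape: nothing is allowed until a statement explicitly allows it, and a matching Deny wins. The following is an added Python model of that evaluation, not AWS's policy engine or the deck's code; the bucket policy, account ID and CIDR are constructed.

```python
import fnmatch
import ipaddress


def _any_match(patterns, value: str) -> bool:
    """Policy-style wildcards: '*' matches any run of characters (e.g. 's3:Delete*')."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    """Every condition key must hold; a missing context key or unknown operator never does."""
    for op, pairs in conditions.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            elif op == "StringEquals":
                ok = actual in wanted
            else:
                ok = False
            if not ok:
                return False
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, ctx: dict) -> str:
    """Default deny: only an Allow whose principal, action, resource and conditions all
    match grants access, and any matching Deny statement overrides every Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not (_any_match(st.get("Principal", {}).get("AWS", []), principal)
                and _any_match(st["Action"], action)
                and _any_match(st["Resource"], resource)
                and _conditions_hold(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed bucket policy: one account may read objects, but only from the office range,
# and deletes are denied for everyone regardless of other statements.
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["111122223333"]},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:Delete*", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```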
Amazon CloudFront Security
• API is only accessible via SSL-encrypted endpoints and must be authenticated
• Origin data stored in Amazon S3
• Private content option will only deliver files authorized by securely signed requests
• Data Security and Durability provided by Amazon S3
• Comprehensive access logs
• Configurable for https only downloads
Amazon Elastic MapReduce Security
• Access based on AWS account ID
• Authenticated APIs
• Sets up Security Groups:
  – Master Node external access only via SSH
  – Slave Nodes don't allow external access
• SSL is used to protect data in transit to and from Amazon S3